According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.

But when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percent who fall victim decreases with each round.

Of course, it's impossible to get to a zero response rate; the criminals are becoming extremely clever with their messages. Fortunately, zero isn't necessary. If enough employees forward phishing emails to security, the company learns that it is the target of a campaign and can prepare to deal with the messages that do slip through.

Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run their own phishing tests inside their organization.

BetterCloud, which offers security and monitoring services for cloud-based office applications, started worrying about phishing when another company in its office building lost $2 million to a phishing scam, and that company's cybersecurity insurance would not cover the loss.

"Their business took a really big hit," said Austin Whipple, the company's senior security engineer. "It was hard to recover from that."

In response, BetterCloud ran a company-wide training, then created its own phishing email campaign that seemed to be a note from the HR system, but actually came from an external email address. This was followed up with more education.

"Compared to other organizations, or to the Verizon report, we did fairly well," he said. "But there are still some areas we can improve on."

Once some time has passed, there will be another phishing test, he added. Employees forward suspicious emails to him personally, and it's clear that the company has already been specifically targeted, because some of the real phishing emails include inside information that would have required some research.

"Any one tech person can do this whole thing," he said. "It doesn't take a massive amount of set up. Educate your people, do the test, then educate the people again, and do a follow-up test."

PhishMe

PhishMe’s phishing simulation, training and reporting platform is used by more than 800 customers world-wide, including nearly half of the Fortune 100, to proactively engage thousands of employees in simulations that condition them to detect and report phishing threats.

PhishMe also offers a phishing incident response platform, which automates and prioritizes reported phishing emails for faster response, and a threat intelligence service that helps threat analysts vet the phishing activity they see against verified external threats.

By combining awareness training, easy reporting, and appropriate security responses, a company can turn its employees from its biggest security weakness into its first line of protection.

"Humans are the most powerful layer of defense against spear phishing, and organizations need to leverage every security benefit humans can provide to remain protected against this top attack vector," said Rohyt Belani, CEO at PhishMe.

PhishMe also offers a dozen free training modules, available in the form of interactive PDF files or SCORM-compliant files that can be run through a company's learning management system.

"Make the simulations as realistic as possible," recommends John LaCour, founder and CEO at PhishLabs. "If you want your employees to spot and report real-world attacks, the simulations need to mirror the real-world attacks they are most likely to see."

In addition, once employees do report the attacks, a company needs to have processes in place so that they can respond to targeted attacks early on, when they're the least costly to mitigate.

"But that can’t happen if those reports just sit in a helpdesk queue," he added.
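The triage step LaCour describes, prioritizing employee-reported messages instead of leaving them in a helpdesk queue, is the kind of thing the PhishMe incident response platform mentioned above automates. The following is an added example of that idea, not code from the article or from any vendor it names: it parses a reported message with Python's standard email module and scores the header signals a trained employee is taught to notice, including the pattern from the BetterCloud test (an "HR" display name on an external address). The internal domain list, the impersonation and urgency keywords, the score weights and the three sample messages are all constructed assumptions.

```python
"""Triage of employee-reported phishing emails by header analysis.

Added example, not code from the article or from any vendor it names.
Domain lists, keyword lists, weights and sample messages are assumptions.
"""
import email
import re
from email.utils import parseaddr

# Assumed: the organization's own mail domains, and display-name words
# that impersonate internal functions (the "note from HR" lure).
INTERNAL_DOMAINS = {"example.com"}
IMPERSONATION = re.compile(r"\b(hr|human resources|payroll|it support|helpdesk|ceo)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|action required|within 24 hours)\b", re.I)


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Score one reported message (raw RFC 5322 text).

    Returns (priority, score, findings); a higher score means more phishing signals.
    """
    msg = email.message_from_string(raw)
    findings, score = [], 0

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    external = from_dom not in INTERNAL_DOMAINS

    # 1. Internal-sounding display name on an external address.
    if external and IMPERSONATION.search(name):
        findings.append(f"display name '{name}' impersonates an internal function; sender is {addr}")
        score += 3

    # 2. Look-alike of one of our own domains (one character changed).
    if external and any(_edit_distance(from_dom, d) == 1 for d in INTERNAL_DOMAINS):
        findings.append(f"sender domain {from_dom} is a look-alike of an internal domain")
        score += 3

    # 3. Reply-To steering replies to a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")
        score += 2

    # 4. Our own gateway's SPF/DMARC verdict, if it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("gateway recorded SPF/DMARC failure")
        score += 3

    # 5. Pressure language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency language in subject")
        score += 1

    priority = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return priority, score, findings


# Constructed sample reports (not real messages).
LURE = """\
From: "HR Department" <hr-notices@example-benefits.net>
Reply-To: confirm@mail-secure-login.com
To: alice@example.com
Subject: Action required: confirm your benefits enrollment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-benefits.net; dmarc=fail header.from=example-benefits.net

Sign in within 24 hours or your benefits will lapse.
"""

LOOKALIKE = """\
From: "Bob Builder" <bob@examp1e.com>
To: alice@example.com
Subject: Updated vendor bank details

See attached.
"""

BENIGN = """\
From: "Bob Builder" <bob@example.com>
To: alice@example.com
Subject: Lunch Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Want to grab lunch?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        priority, score, findings = triage(raw)
        print(f"{label}: {priority} (score {score})")
        for f in findings:
            print("  -", f)
```

The weights are deliberately simple; the point is that a report carrying an authentication failure, a Reply-To redirect or a spoofed internal name should jump the queue, while an ordinary internal message scores zero and can be closed without analyst time.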

It's important not to test employees on the same kind of phishing message over and over again, said Steve Conrad, managing director at MediaPro Holdings, LLC.

"Not all phishing campaigns are equal, nor should they be," he said. "You need to use a model that sends phishing messages of varying complexity and sophistication, and those are going to generate different kinds of results. Sending the same, or similar, messages to your end-users will show great results in a phishing report—your click-through rates will go down—but it will not accomplish your business goal."

Wombat Security Technologies continues to focus on research, and it regularly puts out research reports about phishing trends and training effectiveness. For example, Wombat worked with the Ponemon Institute to determine that the average-performing program resulted in a 37-fold return on investment.

According to Joe Ferrara, CEO at Wombat Security Technologies, phishing costs the average 10,000-employee organization $3 million a year -- and a successful training program can reduce the number of employees falling for phishing attacks by up to 90 percent.

One key to a successful program, he said, is to automatically schedule the employee for a phishing training module when they fail a phishing test.

That's the point where they're most motivated to improve, he said.

Inspired eLearning

The company offers anti-phishing training, simulated phishing attacks, a monthly newsletter, posters, digital signage, and other job aids to provide a constant stream of tips and best practices that can help keep security top-of-mind for employees.

The company says that it has more than five million users worldwide, and that its programs reduce phishing susceptibility by more than 92 percent.

Its PhishProof product is available as a completely managed service, where the company's team of experts designs and deploys assessments and training, or as a software-as-a-service model with online software that can be used to create and deploy assessments within minutes.

In addition to training and simulations, the company also offers measurement tools that allow companies to track the success of their programs. One measurement, for example, which can be used for gamification, is risk-based scoring. Enterprises can set up custom dashboards where training scores can be compared by individual employees, departments or other groups, or to internal or external benchmarks.
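The mechanics behind two points made above, Wombat's rule of scheduling training the moment someone fails a test and the risk-based scoring and department comparisons described here, are small enough to show in code. The following is an added example, not code from the article, Wombat, Inspired eLearning or any other vendor it names: it tracks the educate, test, educate, retest cycle that Whipple describes, auto-enrolls anyone who clicks, and reports per-round click and report rates, a per-person risk score and per-department click rates. The roster, the two rounds of outcomes, the module names and the risk formula are constructed assumptions.

```python
"""Tracking phishing-simulation rounds and auto-enrolling failures in training.

Added example, not code from the article or from any vendor it names.
Roster, outcomes, module names and the risk formula are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Employee:
    email: str
    department: str
    sims: int = 0          # simulations sent to this person
    clicks: int = 0        # simulations they fell for (clicked / submitted)
    reports: int = 0       # simulations they reported to security
    training_due: list = field(default_factory=list)


class Program:
    """State for an educate -> test -> educate -> retest cycle."""

    def __init__(self, roster):
        self.people = {e.email: e for e in roster}
        self.rounds = []

    def record_round(self, name, module, outcomes):
        """Record one simulation round.

        outcomes maps email -> 'clicked' | 'reported' | 'ignored'.
        Anyone who clicked is scheduled for `module` immediately,
        while the failure is fresh.
        """
        clicked = reported = 0
        for addr, result in outcomes.items():
            p = self.people[addr]
            p.sims += 1
            if result == "clicked":
                p.clicks += 1
                clicked += 1
                p.training_due.append(module)
            elif result == "reported":
                p.reports += 1
                reported += 1
        n = len(outcomes)
        stats = {"round": name, "sent": n,
                 "click_rate": clicked / n, "report_rate": reported / n}
        self.rounds.append(stats)
        return stats

    def improving(self):
        """True if the click rate fell in every round after the first."""
        rates = [r["click_rate"] for r in self.rounds]
        return all(b < a for a, b in zip(rates, rates[1:]))

    def risk_score(self, addr):
        """0-100 per-person score (assumed formula): each click counts fully
        against the person, each report offsets half a click."""
        p = self.people[addr]
        if p.sims == 0:
            return 0
        raw = 100 * (p.clicks - p.reports / 2) / p.sims
        return max(0, min(100, round(raw)))

    def department_click_rates(self):
        """Fraction of simulations clicked, per department."""
        sims, clicks = {}, {}
        for p in self.people.values():
            sims[p.department] = sims.get(p.department, 0) + p.sims
            clicks[p.department] = clicks.get(p.department, 0) + p.clicks
        return {d: clicks[d] / sims[d] for d in sims if sims[d]}


def demo_program():
    """Build a program from constructed outcomes for two rounds."""
    prog = Program([
        Employee("alice@example.com", "finance"),
        Employee("bob@example.com", "finance"),
        Employee("carol@example.com", "sales"),
        Employee("dave@example.com", "sales"),
        Employee("erin@example.com", "sales"),
    ])
    # Round 1: HR-themed lure, the kind of test described in the article.
    prog.record_round("hr-benefits", "phishing-basics", {
        "alice@example.com": "clicked", "bob@example.com": "reported",
        "carol@example.com": "clicked", "dave@example.com": "ignored",
        "erin@example.com": "clicked",
    })
    # Round 2, after training: a different theme, so nobody is drilled on one lure.
    prog.record_round("it-password-reset", "spotting-spoofed-senders", {
        "alice@example.com": "reported", "bob@example.com": "reported",
        "carol@example.com": "clicked", "dave@example.com": "reported",
        "erin@example.com": "ignored",
    })
    return prog


if __name__ == "__main__":
    prog = demo_program()
    for r in prog.rounds:
        print(f"{r['round']}: click {r['click_rate']:.0%}, report {r['report_rate']:.0%}")
    print("improving:", prog.improving(), "by department:", prog.department_click_rates())
    for addr, p in prog.people.items():
        print(addr, "risk", prog.risk_score(addr), "training due:", p.training_due)
```

Report rate is tracked alongside click rate on purpose: as the article notes, a falling click rate alone can be an artifact of repeating the same lure, whereas a rising report rate shows the company is actually hearing about the messages that get through.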

InfoSec Institute

InfoSec Institute offers interactive online training modules for security awareness. Its SecurityIQ product combines computer-based security awareness training and a phishing simulator in one cloud-based service. Companies can set up automated campaigns to send phishing tests to employees over time, or to enroll and remind learners to take their security awareness training.

Although it's possible to build an anti-phishing training and testing program internally, vendors such as InfoSec Institute and the others listed above offer some significant advantages to the enterprise.

"Oftentimes, organizations aren’t equipped to provide great education, internally," said Mike Spanbauer, vice president of security test and advisory at NSS Labs.

Vendors who focus specifically on phishing are aware of new trends in phishing emails and can incorporate the tactics into their training programs and anti-phishing simulation templates quickly.

This story, "10 companies that can help you fight phishing," was originally published by CSO.